IPSec IKev2,RSA-Cert, PFSense <-> PFSense no NAT failed to bring net tunnel up?

beop911

Hallo Forum,

after trying several combinations with NAT from Home Office (strong swan OpenSuSE, Sophos, ..) and spending several hours,
I decided to go back to in my opinion the easiest possible setup (no NAT, both ends pfsense  2.3.2p1 RELEASE, only one Network <-> Network tunnel)

172.30.21.0/24    PFS_A (official static IP)  <–--> PFS_B (official static IP) 172.30.11.0/24

means "only"  ;) 172.30.21.0/24 <-> 172.30.11.0/24 tunnel where both A,B have also more such Networks (comes than later ...)

Setup-Data:
1.) setup Cert-CA on A + generate Server Cert, generate Client (B) certificate
    put Cert-CA.crt, Cert-B.crt,Cert-B.key on B via import certificate..
2.) IPSec - Parameter on both ends:
      Key Exchange version:      2 (later for  Home office I need NAT ..)
      Internet Protocols:          ipv4
      Interface:                          WAN
      Remote Gateway            IP-Adress of Peer
      Authentication Method  Mutual RSA
    My identifier                      My IP-Address
    Peer identifier                  Peer IP-Address
    My Certificate                    A (Server Cert), B (Client Cert)
    Peer Certificate Authority  Cert-CA of A
    Phase 1:
    Encryption Algorithm      AES 256Bits
    Hash Algorithm                SHA256
    DH Group                        14(2048)
    Lifetime                            28800
    Disable rekey                  false
    Disable Reauth                false
    Responder Only              A (true), B (false)
    MOBIKE                            disable
    Split connections            false
    Dead Peer Detection      enabled
    Delay                                10
    Max failures                    5
    Phase 2:
    Mode                                Tunnel IPv4
    Local Network                Network A(172.30.21.0/24), B(172.30.11.0/24)
    NAT/BINAT translation none
    Remote Network            Network A(172.30.11.0/24), B(172.30.21.0/24)
    Protocol                          ESP
    Encryption Algorithms  AES 256 Bits
    Hash Algorithms          SHA256
    PFS key group              14(2048)
    Lifetime                          3600
    Advanced settings:      Everything ist disabled except of:
    Configure Unique IDs as Yes
    Auto-exclude LAN addr  true

So if I starts the tunnel from B the Phase 1 succeeds and B also shows in the GUI that the tunnel (SPD) are setuped ...
But A shows in their locks, that there are problems see log (reverse odering of lines....)

Oct 17 15:06:17 charon 04[ENC] <bypasslan|1>generating IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>failed to establish CHILD_SA, keeping IKE_SA
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>traffic selectors 172.30.21.0/24|/0 === 172.30.11.0/24|/0 inacceptable
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for other:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>172.30.20.0/24|/0
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>proposing traffic selectors for us:
Oct 17 15:06:17 charon 04[CFG] <bypasslan|1>looking for a child config for 172.30.21.0/24|/0 === 172.30.11.0/24|/0
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>maximum IKE_SA lifetime 10510s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>scheduling reauthentication in 9970s
Oct 17 15:06:17 charon 04[IKE] <bypasslan|1>IKE_SA bypasslan[1] state change: CONNECTING => ESTABLISHED

And after this, the IKE_SA is not useable at all, but why B shows in the GUI everything is fine ??
The shown Network 172.30.20.0/24 is also available on A, but nowhere be setuped for this tunnel …

So for me the "easy" - case doen't work either ... :-[
Pleas give me some Input to get it work, like it should ..

Thank you</bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1></bypasslan|1>